Related vulnerability
Title:
Sudo security vulnerability
(CVE-2025-32463)
Description: Sudo is a program for Unix-like systems that lets users execute commands with elevated privileges in a controlled way. Sudo versions before 1.9.17p1 contain a security vulnerability: using an /etc/nsswitch.conf located in a user-controlled directory can lead to obtaining root access.
Description
Environment and Nuclei template to test CVE-2025-32463
Introduction
# CVE-2025-32463 - Setup and Execution Guide
## Containerized Environment Setup
```bash
docker-compose up --build -d
```
## Signing the Nuclei Template (Required for Code Engine)
This template uses the `code` engine, which requires signing for security reasons. The template is already signed in this repository.
### Signing keys setup (already configured)
The `docker-compose.yaml` is configured to mount your Windows Nuclei signing keys from `%APPDATA%\nuclei\keys` into the containers. This allows the signed template to be verified.
### If you need to re-sign the template on your host:
```bash
# On Windows host (requires Nuclei installed)
nuclei -t cve-2025-32463.yaml -sign
# This will sign the template and add a digest field
```
**Note:** The first time you run this command, Nuclei will create signing keys in `%APPDATA%\nuclei\keys` and prompt for:
1. User/Organization Name
2. Passphrase for the private key
## Execute Nuclei scan inside the target container
### Vulnerable Sudo Version
**Linux/macOS/Git Bash:**
```bash
docker exec -u testuser vulnerable-sudo-target sh -c 'nuclei -itags local -t /tmp/template.yaml -target localhost -code'
```
**Windows PowerShell/CMD:**
```powershell
docker exec -u testuser vulnerable-sudo-target sh -c "nuclei -itags local -t /tmp/template.yaml -target localhost -code"
```
**Alternative (works on all platforms):**
```bash
docker exec -u testuser vulnerable-sudo-target nuclei -itags local -t /tmp/template.yaml -target localhost -code
```
**Notes:**
- The `-code` flag is required to enable code protocol-based templates
- Use `sh -c '...'` to avoid Windows path conversion issues with MSYS2/Git Bash
- The template should show: `[INF] Executing 1 signed templates from <your-username>`
### Patched Sudo Version
**Windows PowerShell/CMD:**
```powershell
docker exec -u testuser patched-sudo-target sh -c "nuclei -itags local -t /tmp/template.yaml -target localhost -code"
```
**Alternative (works on all platforms):**
```bash
docker exec -u testuser patched-sudo-target nuclei -itags local -t /tmp/template.yaml -target localhost -code
```
**Notes:**
- The `-code` flag is required to enable code protocol-based templates
- Windows Git Bash: Use double quotes `"..."` or the alternative command without `sh -c`
- The template should show: `[INF] Executing 1 signed templates from <your-username>`
## Alternative: Manual Exploit Test
If you want to verify the vulnerability without signing the Nuclei template, you can run the exploit script directly:
```bash
# Copy and run the exploit script
docker cp exploit.sh vulnerable-sudo-target:/tmp/exploit.sh
docker exec -u testuser vulnerable-sudo-target bash /tmp/exploit.sh
# Expected output: "woot!" followed by a root shell (in interactive mode)
```
## Expected Output
### Nuclei Scan Output - Vulnerable Container
```bash
[CVE-2025-32463] [code] [critical] localhost ["VULNERABLE UID=1000 EUID=0"]
[INF] Executing 1 signed templates from <your-username>
[INF] Scan completed in 140.454595ms. 1 matches found.
```
**Detection confirmed:** `UID=1000 EUID=0` proves that code run by testuser (UID 1000) executed with root privileges (EUID 0).
### Nuclei Scan Output - Patched Container
```bash
[INF] Executing 1 signed templates from <your-username>
[INF] Scan completed in 143.319373ms. No results found.
```
**No vulnerability detected** - The patched sudo version prevents the library loading.
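A version-based check that complements the container tests above, added here as an example and not part of this repository: it parses the first line of `sudo --version` and classifies the build against the affected range. The fixed version 1.9.17p1 is the one this page states; the lower bound 1.9.14 (the first release shipping the chroot option) is taken from the sudo advisory and is an assumption here.

```shell
#!/bin/sh
# Added example (not part of this repository): classify an installed sudo
# build against the CVE-2025-32463 affected range from `sudo --version`.
# Upper bound: fixed in 1.9.17p1, as stated on this page.
# Lower bound: 1.9.14, the first release with the chroot option, is taken
# from the sudo advisory and is an assumption here, not from this page.

# Print "major minor micro patch" for "1.9.17p1" or for the banner line
# "Sudo version 1.9.17p1"; a version without a pN suffix gets patch 0.
parse_sudo_version() {
    ver=$(printf '%s\n' "$1" | head -n 1 | sed -n \
        's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(p[0-9][0-9]*\)\{0,1\}.*$/\1 \2 \3 \4/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    patch=${4:-p0}
    printf '%s %s %s %s\n' "$1" "$2" "$3" "${patch#p}"
}

# Turn the four fields into one comparable integer, e.g. 1.9.17p1 -> 1009017001.
version_key() {
    parsed=$(parse_sudo_version "$1") || return 1
    set -- $parsed
    printf '%d%03d%03d%03d\n' "$1" "$2" "$3" "$4"
}

# Print vulnerable / patched / unaffected / unparseable.
# Exit status is 0 only for "vulnerable", so it can drive a shell condition.
sudo_cve_2025_32463_status() {
    key=$(version_key "$1") || { echo unparseable; return 2; }
    lower=$(version_key 1.9.14)     # assumption: first release with chroot support
    upper=$(version_key 1.9.17p1)   # fixed release as stated on this page
    if [ "$key" -lt "$lower" ]; then echo unaffected; return 1; fi
    if [ "$key" -ge "$upper" ]; then echo patched; return 1; fi
    echo vulnerable
    return 0
}

# Live check of this host when sudo is present (skipped quietly otherwise).
if command -v sudo >/dev/null 2>&1; then
    echo "local sudo: $(sudo_cve_2025_32463_status "$(sudo --version 2>/dev/null)")"
fi
```

Run it inside either container (or on any host) to confirm that the version-based verdict agrees with the Nuclei result.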
## Troubleshooting
### Issue: "Skipping unsigned template[s]" warning
This happens when:
1. The template hasn't been signed - Re-sign it on your host with `nuclei -t cve-2025-32463.yaml -sign`
2. The signing keys aren't mounted - Verify `docker-compose.yaml` has the volume mounts for `${APPDATA}/nuclei/keys`
3. Nuclei can't find the keys - Make sure the keys exist in `%APPDATA%\nuclei\keys` on your Windows host
### Issue: Permission denied errors when running Nuclei
**Root cause:** When Docker mounts volumes to paths that don't exist, it creates parent directories as `root:root`. This prevented `testuser` from writing Nuclei config files.
**Solution:** The Dockerfiles now pre-create these directories with correct ownership:
```dockerfile
RUN mkdir -p /home/testuser/.config/nuclei/keys \
&& chown -R testuser:testuser /home/testuser/.config
```
If you still see this error, rebuild the containers:
```bash
docker-compose down
docker-compose up --build -d
```
### Issue: Template not detecting vulnerability
The code-based template may require specific execution context. Use the manual exploit test as an alternative:
```bash
docker exec -u testuser vulnerable-sudo-target bash /tmp/exploit.sh
```
## Shutdown the environment
```bash
docker-compose down
```
## See Also
For detailed technical explanation of the vulnerability, attack vectors, and detection methodology, refer to the **[Technical Notes](TECHNICAL-NOTES.md)** document.
File snapshot
```text
[4.0K] /data/pocs/625d94a71844494560dbdf63b590753e59604616
├── [3.0K] cve-2025-32463.yaml
├── [1.2K] docker-compose.yaml
├── [1.3K] exploit.sh
├── [   0] output.txt
├── [4.0K] patched
│   └── [1.2K] Dockerfile
├── [4.8K] README.md
├── [1.1K] sign-template.ps1
├── [ 11K] TECHNICAL-NOTES.md
└── [4.0K] vulnerable
    └── [1.7K] Dockerfile

2 directories, 9 files
```
Notes
1. Accessing the PoC through its original source is recommended.
2. If the source has gone offline or cannot be reached, send an email to f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.